Nasty trojan has crippled my computer - please help!

By Sejanus
Jun 14, 2010
  1. Hi everyone,

    Last week, my computer was infected by the False Alert trojan (fake security alerts detailing "Unauthorsided access to your computer!" and the like, as well as new startup programs, and a constant attempt by a program to install a fake security program. The trojan also knocked Windows Defender and Ad-Aware out of action.

    At first I locked-down my computer with the McAfee firewall. What followed was a drawn-out battle for my computer's soul. I attempted scanning at least 10 times, but with no results, or my computer would display a message saying "You are about to be signed off. Critical program files have been damaged. Please restart your computer," and proceed to log me off before the scan finished. After evacuating files to an external hard drive, I connected back to the internet to update McAfee and Windows. After the update, McAfee detected the trojans and blasted them to smithereens. Further scanning yielded no results. I also attempted to download Malwarebytes, but the installer would not open as a result of this infection.

    It seemed like I had won, but following the removal of the trojans, WinPatrol was still reporting a new Start-Up program was attempting to hijack my system. Soon after, my computer could no longer open FireFox. Once again, I updated Windows and restarted. That seemed to seal the deal, as now my computer cannot open any .exe files/programs. This includes Firefox, IE, iTunes, McAfee, Ad-Aware..basically everything. At startup, the McAfee logo pops up in the system tray, but I cannot open the Security Center. The message says something like not being able to open the .exe file/not finding it.

    So, while I'm not optimistic about anyone having a solution, I thought I'd pop on here and put up an S.O.S. I apologize about the lack of exact file names/messages, but I'm at work, and since my computer can't access the internet...Well, here we are. Restoring Windows seems to be in my future, but let's see if anyone more tech-savvy than myself (read: probably all of you) can think of a last-ditch idea.

    Any help is appreciated!
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'll be glad to try and help with the malware, but I need information first:

    IF you would like us to check the system for malware please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, please leave the logs for our review.

    And be a bit more 'optimistic'- the fake alerts are a common type of malware!
  3. Sejanus

    Sejanus TS Rookie Topic Starter Posts: 34

    Thanks Bobbye. I'll try downloading the programs onto a USB drive at work and bringing them home. Hopefully I'll be able to open them.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    As long as you have to use the flash drive, you can go ahead and downloadbut don't install yet the following: It is possible that the logs will leave can indicate something else be run instead:

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    Same for this> download but don't run yet:

    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
  5. Sejanus

    Sejanus TS Rookie Topic Starter Posts: 34

    UPDATE: Ran TFC successfully. Updating Windows/Java/Adobe. I noticed that there are two word files I had before that are now greyed out on my desktop with ".~lock." in front of the file name. Any idea what that's about?

    RIghto, I've completed all the steps and I'm back on my poor laptop. GMER didn't find anything, so the log is blank. Is that normal? The DDS log is too long to paste in, so I'll attach it. Also, DDS only popped up with the .txt log.

    Malware log:

    Malwarebytes' Anti-Malware 1.46

    Database version: 4199

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18928

    6/14/2010 10:12:19 PM
    mbam-log-2010-06-14 (22-12-19).txt

    Scan type: Quick scan
    Objects scanned: 124357
    Time elapsed: 8 minute(s), 52 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hqumogumamumuse (Trojan.Agent.U) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tdipegala (Trojan.Agent.U) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Users\Anthony\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Users\Anthony\AppData\Local\KBDTRsi.dll (Trojan.Agent.U) -> Quarantined and deleted successfully.
    C:\Users\Anthony\AppData\Local\aroqidef.dll (Trojan.Agent.U) -> Quarantined and deleted successfully.

    Attached Files:

    • DDS.txt
      File size:
      22.6 KB
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sejanus- I missed this> you have a 64bit OS. GMER won't run on that and neither will Combofix, so you will need to run b]OTL[/b]
    • Download OTL from either of the links below and save it to your desktop.
      Link 1
      Link 2
    • Double click the OTL icon to run it.[​IMG]
    • The opened console will resemble this: [​IMG]
    • Set Output at the top to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
      Make sure all other windows are closed and to let it run uninterrupted.
    • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
    There is a second log for DDS named Attach.txt. Please find that, zip as instructed and include it in next reply.

    Also run the Eset scan and leave log.
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...